[Devel] [PATCH 15/17] memcg: forbid setting memory.oom_guarantee from inside a container

Vladimir Davydov vdavydov at parallels.com
Fri Aug 14 10:03:39 PDT 2015


For simplicity, we do not implement hierarchy support for the
oom_guarantee knob. Instead, we take it into account only on global OOM and only for
those memory cgroups that are assigned to a beancounter. To avoid
complaints from container users that the knob does not work as expected,
let's forbid setting it from inside a container.

Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
---
 mm/memcontrol.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 505952f22ea9..86c0500bf508 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5238,6 +5238,18 @@ static int mem_cgroup_oom_guarantee_write(struct cgroup *cont,
 	unsigned long long val;
 	int ret;
 
+	/*
+	 * Although the knob for setting OOM guarantee lives in the memory
+	 * cgroup, the logic behind it is implemented per beancounter, i.e. it
+	 * only makes sense to set it for a memory cgroup assigned to a
+	 * container via beancounter.memory, otherwise its value will be
+	 * silently ignored. To avoid complaints from container users that the
+	 * knob does not work as expected, we forbid setting it from inside a
+	 * container.
+	 */
+	if (!ve_is_super(get_exec_env()))
+		return -EACCES;
+
 	ret = res_counter_memparse_write_strategy(buffer, &val);
 	if (ret)
 		return ret;
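Review bot: The check added at the top of mem_cgroup_oom_guarantee_write() looks only at the caller's environment, `ve_is_super(get_exec_env())`, and never at the target cgroup `cont`. A write from the host to a memory cgroup that is not assigned to a beancounter is therefore still accepted and, by the new comment's own wording, "silently ignored". If the goal is that the knob never appears to work when it does not, either reject that case as well or say in the comment that host-side writes to unassigned cgroups are deliberately left alone. Two smaller points: the test runs at write time against the current task, so the result depends on which task performs the write rather than on who opened the file, which is worth stating in the comment if intended; and since the refusal is based on privilege rather than file mode, -EPERM may describe it better than -EACCES. The knob also stays visible inside the container, so a line in the cgroup documentation noting that writes from a container fail would spare users the same confusion the patch is trying to avoid.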
-- 
2.1.4



